I work on application, which try to get and parse information from site was named "Super-site" for instance. Access to data I needed is restricted and is necessary user authentication. I cannot ask user to send login\password from super-site, but Super-site have possibility authentication across social-auth (twitter). I can get access token from twitter, but I am unable to understand how to auth on Super-site using twitter access-token?
You will use the 3-legged OAuth with Twitter. Here is the link from Twitter that gives you steps. How you do this is by logging to your twitter account on developer.twitter.com, from Twitter Application Dashboard click on the Twitter App to create a Access Token and Access Token Secret. Your user accessing the Super-site will be prompted to authorize access to the Application, user grants access (clicks Yes) and finally your Super-site collects the OAuth token (user need not send username/password) and accesses the site.
Your super site must use oauth flow.
Every api should have oauth authentication and it is done at server end.
https://blog.restcase.com/4-most-used-rest-api-authentication-methods/
If they have twitter you can use twitter auth flow. They have to write code to understand twitter user account linking and authorization. So you login as a twitter user if thatuser is found in database you receive token and you can call api based on twitter user authorization.
The previous versions of this spec, OAuth 1.0 and 1.0a, were much more complicated than OAuth 2.0. The biggest change in the latest version is that it’s no longer required to sign each call with a keyed hash. The most common implementations of OAuth use one or both of these tokens instead:
access token: sent like an API key, it allows the application to access a user’s data; optionally, access tokens can expire.
refresh token: optionally part of an OAuth flow, refresh tokens retrieve a new access token if they have expired. OAuth2 combines Authentication and Authorization to allow more sophisticated scope and validity control.
OAuth 2.0 is the best choice for identifying personal user accounts and granting proper permissions. In this method, the user logs into a system. That system will then request authentication, usually in the form of a token. The user will then forward this request to an authentication server, which will either reject or allow this authentication. From here, the token is provided to the user, and then to the requester. Such a token can then be checked at any time independently of the user by the requester for validation and can be used over time with strictly limited scope and age of validity.
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/twitter-logins?view=aspnetcore-3.1
Related
I am writing a service that will access a Google Nest Thermostat, and need a Google Oauth2 token in order to do so. All of the documentation I can find references a browser-driven login to identify, authenticate, and then store a token as a cookie.
All of my OAuth experience has involved receiving a secret and/or API key, and then using that against a token service to get a security token. I then use that token for subsequent API endpoints. All of the Google docs / samples tell me I have to get my "headless" service to log in via browser and get a token via a redirect, the same way I'd log in to any other service using my Google credentials. Is there a way to do this without a live browser session, i.e. just a Google endpoint that I trigger with my secret data, to get a token to use with the Google Smart Home APIs?
We have an already existing system which uses an old Auth0 server for authentication and authorization. My goal is to integrate this system with Keycloak. In the Auth0 server we assign roles to users and these roles are mapped to a group of permission scopes, eg, "account:create", "user:create", etc are assigned to role "admin". We are planning on using keycloak Authorization services to replace Auth0 authorization. For it to work, we need to use keycloak bearer tokens.
Problem is, several users make requests to our API using an api-key (fix token). We basically make a request to the Auth0 server with api-key and it returns permission for that user. As we can't ask user to change the way the interact with our API (managament decision), i'm thinking on creating a custom authenticator, so when I request token endpoint (http://{ip}:{port}/auth/realms/{realm}/protocol/openid-connect/token) with an extra api-key header, I can check if there is an user with that api-key attribute assigned and get a bearer token for that user in return. The idea is to do this internally.
Is it a correct approach? If so, how do I implement the authenticator? Once I have found the user by api-key, how do I tell the authenticator which is the authenticated user?
Better late than never! I resolved this a while ago, but I wanted to share the solution, in case it helps someone:
I saved the API keys as user attributes.
I created a custom Keycloak Authenticator that checks if there is an user with the given API key.
I created a custom direct grant flow to use the custom Authenticator that successfully authenticate the user either if an API key or usual username and password credentials are provided in the token endpoint.
As the user only knows about API keys, I used an eviction cache whose key is the API key and whose value is the bearer token.
You can find an example and more details in the following repo:
I am reading lot of cognito documentation but the thing which is confusing is the limited documentation for build Hybrid applications(cordova mobile app).
This is my understanding so far:
I can develop my own sign-in and signup screens but use the cognito user pools as a backend authentication datastore.
or I can simply plug Cognito hosted webUI for sign-in, sign up.
1) If I have to use my own, I would have to use the Amazon cog SDK API to authenticate a user, validate email during signup etc .
2) If I need to use the hosted pages from amazon, I would need to configure it to redirect to my applications homepage.
probably follow this link -->> ?
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-app-integration.html
Once the user is authenticated ,I would need to create session for logged-in user, decrypt the token which is a JWT to fetch all details about the user like user_name, etc & then tie this user to the same session.
When the user clicks on any other link in my web application, my authentication filter will need to check if the current session had any valid token and validate it. Question is how do I validate that the token in the cookie is the one which is valid and not expired. which API can be used to check if the token is a valid token.Would I need to go to cognito eveytime?
You would have to use Cognito SDKs to validate the token before you serve your resources. The SDK methods to verify the token will ensure that the token has not expired, the user belongs to the app, and to the specific user pool that is allowed access to your resources.
You can find more here - https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
If I'm creating a web application with a RESTful back end, is OAuth 2.0 really necessary given that I don't want to connect with social media (Facebook, Google+, etc.)? I'm thinking about ditching OAuth2.0 and doing the following:
Generate JWT tokens upon successful login
Store this token in redis (or database, haven't decided)
Have a filter that checks for the JWT token and matches the token with the one in redis/db.
If the token exists, allow the user to access the resource
You can manually generate JWT tokens if you wish but it would be better to let an oAuth 2.0 implementation handle the JWT generation.
You don't need to persist the token. Just check the signed signature of the JWT, there is no need to check a database as the point of a JWT is for stateless authentication.
OAuth 2.0 3 legged flow is mainly used to address a third-party application to gain resource owner access without sharing resource owner's credentials with the third party application.For example, a photo print application wants to access resource owner's (user) flicker account on behalf of resource owner without sharing the resource owner flicker account credentials.
In the traditional client-server authentication, you may consider to use OAuth 2.0 2 legged resource owner grant where OAuth 2.0 client application can request OAuth 2.0 Server to create OAuth Access Token. In this case, you can use JWT Token for OAuth Access Token. This flow is almost you have mentioned but only standard OAuth 2.0 resource owner request and response. Please refer resource owner request and response details at https://www.rfc-editor.org/rfc/rfc6749#section-4.3.2. If you use standard 2 legged OAuth flow, then client and server integration will be easy and interoperable.
If you don't want to support terminate(revoke) token operation, then you don't need to store the token in the database or any other place. In this case, the token can be self-expired but not terminated.
Even if you have a requirement for terminate token, then don't store the entire token and just store token uuid (random id) and set the token uuid in one of JWT Token Claim.
Overview
I am building a RESTful API application as mobile\web backend (let's call it MyBackendApp) and I'm looking for a contemporary solution for both Authentication AND Authorization of app users. Primary language for backend is Java. Looking at other apps, many of them offer several auth methods to user: using external to app account (e.g. Facebook, Google, Yahoo, OpenId etc.) or internal (email\password). Something like Stackoverflow has on its sign-up\sign-in. I read many sources about OAuth2, I also used to use Spring Security to implement internal user accounts and session management. But I'm having hard time putting both methods together.
Requirements
I want user to be logged in using either of following methods
with external (possibly OAuth2) Facebook-like account
using email\password
Role Based Access Control to the API methods. The MyBackendApp will have following roles: app admin, content admin, content user, content creator, developer (for other apps to use MyBackendApp API)
Like all modern mobile apps I want user stayed logged in until expiration or session revocation (if to go as described below in Current implementation thoughts, then it can be done with token revocation). And I don't want him to get to login screen everytime he opens up MyApp's mobile app
Current implementation thoughts
OAuth2
For simplicity I use here Facebook term, but assuming more general meaning: the authentication with external to MyBackendApp account from any external Provider.
My understanding is that if user already have authToken from Facebook (he has already logged in with his Facebook app) stored somewhere in his mobile device, then just get the authToken (I believe I saw method in Android SDK, please correct me if I'm wrong). Otherwise, need to go through the standard OAuth procedure to receive the authToken from the provider (Facebook). Now, having the authToken and secret key from the provider MyBackendApp can retrieve a user unique ID AND email from the token and:
if the uniqueId is already in MyBackendApp DB, then user is authenticated
and MyBackendApp allow or don't allow access to a requested REST endpoint,
based on users (defined by its uniqueId and email) Role.
if uniqueId is not in the MyBackendApp DB, then user is going through MyBackendApp
registration process, which is similar to Stackoverflow sign-up. His info gets stored in the DB
user gets assigned some role
email\password auth
Sign-Up. If user is not registered, then he goes through registration process: MyBackendApp stores email and hash of password in DB. It also assigns a Role (lets say Content Creator)
Sign-In. If user is registered and want to log in
he enters email and password in a client app (WebUI JavaScript\Android\iOS)
client app (lets call it MyClientApp) gets hash out of password (please correct me if it's not a right way) and POST it along with email to MyBackendApp over https. Edit: there is no sense to hash the password on client side. Rather than that the password will be sent as is over SSL. After that Server (MyBackendApp) will generate a hash and compare it with stored hash in DB.
having email and password MyBackendApp authentifies the user and issue authToken (possibly JWT) with userUniqueId (UUID), some expiration date.
the authToken is to be sent on every REST API request
Next time MyBackendApp receives request to some of REST endpoints it retrieves the userUniqueId, expirationDate and based on Role allow\disallow the call.
Summary
Does the approach described in the "implementation thoughts" section above make sense? Any security threats?
Some posts says that OAuth cannot be used for user authentication, e.g. here, but I didn't get why? And if not then how to provide users login using facebook\google\others account?
I definitely don't want to reinvent a bicycle, so I'm wondering is there any framework which make this task easier? I believe that Spring Security with its OAuth2 support can help a lot for implementation of OAuth2. But how does it work for both types of login (OAuth2+email\password)?
This post suggests [Apache Shiro] - is it good for the described purposes? Can it be combined with Spring Security OAuth2?
I wrote above that having the authToken and secret key from the provider MyBackendApp can retrieve a user unique ID AND email - but is it the case? Do providers include this information in the authToken?
If user of mobile device or web browser has already got the authToken (e.g. he logged in in facebook mobile app OR desktop browser stored his password) and he's already allowed MyApp in Facebook once - can he open my app being already logged in with his facebook account skipping the login procedure? How?